From dd5ae4c36c89da5dbe8d1628939b26c00db98753 Mon Sep 17 00:00:00 2001 From: Przemyslaw Kedzierski Date: Tue, 9 Dec 2014 12:17:24 +0100 Subject: bus-proxy: cloning smack label When dbus client connects to systemd-bus-proxyd through Unix domain socket proxy takes client's smack label and sets for itself. It is done before and independent of dropping privileges. The reason of such soluton is fact that tests of access rights performed by lsm may take place inside kernel, not only in userspace of recipient of message. The bus-proxyd needs CAP_MAC_ADMIN to manipulate its label. In case of systemd running in system mode, CAP_MAC_ADMIN should be added to CapabilityBoundingSet in service file of bus-proxyd. In case of systemd running in user mode ('systemd --user') it can be achieved by addition Capabilities=cap_mac_admin=i and SecureBits=keep-caps to user@.service file and setting cap_mac_admin+ei on bus-proxyd binary. --- units/user@.service.in | 19 ------------------- 1 file changed, 19 deletions(-) delete mode 100644 units/user@.service.in (limited to 'units/user@.service.in') diff --git a/units/user@.service.in b/units/user@.service.in deleted file mode 100644 index 1e21d51aae..0000000000 --- a/units/user@.service.in +++ /dev/null @@ -1,19 +0,0 @@ -# This file is part of systemd. -# -# systemd is free software; you can redistribute it and/or modify it -# under the terms of the GNU Lesser General Public License as published by -# the Free Software Foundation; either version 2.1 of the License, or -# (at your option) any later version. - -[Unit] -Description=User Manager for UID %i -After=systemd-user-sessions.service - -[Service] -User=%i -PAMName=systemd-user -Type=notify -ExecStart=-@rootlibexecdir@/systemd --user -Slice=user-%i.slice -KillMode=mixed -Delegate=yes -- cgit v1.2.3-54-g00ecf